xworm | ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9 | Triage

Sharing

General

Target

ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9.bat
Size

275KB
Sample

240823-czbkratbjl
MD5

536ac91b5fe6a53fd85f5d7b609dc591
SHA1

5fb565c1bec3e386642e921c34ea365fbcb07127
SHA256

ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9
SHA512

b47aeba5a1abdcd8b1b6ba67663fb199fca22a21c1417aa830d042268f6c810b9abf246b964d7dc76497b009f8d54e77c1b0f38e5c775097b9fa15dbd19b748f
SSDEEP

6144:h1E5NlqQRcu+pHfFQS7w1bUyntarmxcGqKxH1279F:h1E5qz9H9T7w1bUotqgRH+

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

95.98.144.201:2404

Mutex

JnG5DxKNjDpRvsxT

Attributes

Install_directory
%Temp%
install_file
e45iasd.exe
telegram
https://api.telegram.org/bot6421494903:AAFuoWigwh2-oDYMZFAWqzFsbHJABidzW1Q

aes.plain

Targets

- Target
  
  ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9.bat
- Size
  
  275KB
- MD5
  
  536ac91b5fe6a53fd85f5d7b609dc591
- SHA1
  
  5fb565c1bec3e386642e921c34ea365fbcb07127
- SHA256
  
  ae4100252450220b4f7d39214d4660894ee149d9c96a885f844f0652283198e9
- SHA512
  
  b47aeba5a1abdcd8b1b6ba67663fb199fca22a21c1417aa830d042268f6c810b9abf246b964d7dc76497b009f8d54e77c1b0f38e5c775097b9fa15dbd19b748f
- SSDEEP
  
  6144:h1E5NlqQRcu+pHfFQS7w1bUyntarmxcGqKxH1279F:h1E5qz9H9T7w1bUotqgRH+
Score

10^/10

execution xworm persistence rat trojan
- Detect Xworm Payload
- Xworm
  Xworm is a remote access trojan written in C#.
  trojan rat xworm
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Run Powershell and hide display window.
  execution
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
  persistence
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

xwormexecutionpersistencerattrojan